Skip to main content
The External Secrets Operator integration allows you to push Kubernetes secrets to ngrok vaults, where they can be referenced in your Traffic Policies for secure configuration management.

Use cases

  • Traffic Policy configuration: Store API keys, tokens, and credentials that you can use to authenticate visitors with traffic policy actions
  • Multi-environment management: Sync different secrets to different ngrok vaults for dev, staging, and production
  • Secret rotation: Automatically propagate rotated secrets from Kubernetes to ngrok
  • Compliance: Use sensitive configuration data in traffic policies securely, without leaking them

How it works

External Secrets Operator watches for PushSecret resources in your cluster. When a PushSecret is created or updated, it reads the specified Kubernetes secret and pushes the secret data to your ngrok vault using the ngrok API. The secret then becomes available in ngrok for use in Traffic Policies. The operator continues to sync changes based on the configured refresh interval, ensuring your ngrok secrets stay up-to-date.

Limitations

  • Currently supports push operations only (Kubernetes → ngrok)
  • Pull operations (ngrok → Kubernetes) are not yet supported

What you’ll need

  • An ngrok account with API access
  • An ngrok API key
  • An ngrok vault created for storing secrets
  • External Secrets Operator installed in your Kubernetes cluster

Configuration

1. Create ngrok API credentials

First, store your ngrok API key in a Kubernetes secret: 
kubectl create secret generic ngrok-credentials \
  --from-literal=api-key=<YOUR_NGROK_API_KEY>

2. Configure SecretStore

Next, create a SecretStore that connects to ngrok’s API: 
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: ngrok
spec:
  provider:
    ngrok:
      # apiURL: Default "https://api.ngrok.com", for enterprise ngrok instances uncomment and use your API URL.
      auth:
        apiKey:
          secretRef:
            name: ngrok-credentials
            key: api-key
      vault:
        name: my-vault  # Name of the ngrok vault to use for storing secrets
Configuration properties:
  • auth.apiKey: Reference to your ngrok API key (required)
  • vault.name: Name of your ngrok vault where secrets will be stored (required)
  • apiURL: API endpoint (optional, defaults to https://api.ngrok.com)

Pushing secrets to ngrok

Basic push configuration

To sync a Kubernetes secret with ngrok, create a PushSecret resource: 
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: ngrok-push-secret-example
spec:
  deletionPolicy: Delete
  refreshInterval: 10m  # Refresh interval for which push secret will reconcile
  secretStoreRefs:  # A list of secret stores to push secrets to
    - name: ngrok  # Must match SecretStore on the cluster
      kind: SecretStore
  selector:
    secret:
      name: SECRET_NAME  # Source Kubernetes secret to be pushed
  data:
    - match:
        # The key in the Kubernetes secret to push. Leave empty to push all keys, JSON encoded.
        # secretKey: ""
        secretKey: MY_K8S_SECRET_KEY
        remoteRef:
          remoteKey: MY_NGROK_SECRET_NAME  # The name of the secret in the ngrok vault

Adding metadata to secrets

You can enhance your ngrok secrets with descriptions and custom metadata: 
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: ngrok-push-secret-example
spec:
  deletionPolicy: Delete
  refreshInterval: 10m  # Refresh interval for which push secret will reconcile
  secretStoreRefs:  # A list of secret stores to push secrets to
    - name: ngrok  # Must match SecretStore on the cluster
      kind: SecretStore
  selector:
    secret:
      name: SECRET_NAME  # Source Kubernetes secret to be pushed
  data:
    - match:
        # The key in the Kubernetes secret to push. Leave empty to push all keys, JSON encoded.
        # secretKey: ""
        secretKey: MY_K8S_SECRET_KEY
        remoteRef:
          remoteKey: MY_NGROK_SECRET_NAME  # The name of the secret in the ngrok vault
      metadata:
        apiVersion: kubernetes.external-secrets.io/v1alpha1
        kind: PushSecretMetadata
        spec:
          # See https://ngrok.com/docs/api/resources/secrets/#parameters
          # We currently support customizing the description and metadata for the secret.
          description: "This is a secret for the API credentials"
          # Metadata for the secret in the ngrok vault. This will be merged with auto-generated metadata.
          metadata:
            environment: production
            team: devops

What’s next?